Call Yourself A Hacker, Lose Your 4th Amendment Rights

The US District Court for the State of Idaho ruled that an ICS product developer’s computer could be seized without him being notified or even heard from in court primarily because he states on his web site “we like hacking things and don’t want to stop”.

Background

Battelle Energy Alliance is the management and operating contractor for Idaho National Laboratory (INL), and they have brought suit against ex-INL employee Corey Thuen and his company Southfork Security.

It began with the US Department of Energy funding an effort for INL to develop “a computer program aimed at protecting the United States’ critical energy infrastructure (oil, gas, chemical and electrical companies) from cyber attacks.” Corey Thuen was one of the developers of this software program that was later called Sophia.

Sophia identifies new communication patterns on ICS networks. As noted in our 5 Oct 2012 post, this is not novel as Tenable’s Passive Vulnerability Scanner and other products have done this for years. Sophia may have added some intelligence for ICS protocols (I haven’t tested it), and the user interface for a product like this is often the key factor.

Battelle wants to license this technology, NexDefense was selected to negotiate for a license, and the suit states that Corey was pushing for it to be open source. Eventually Corey left INL, created Southfork Security, and wrote a similar “situational awareness” program called Visdom.

In simple terms, the suit alleges that Corey stole the code and violated agreements with INL. I have no idea if he stole the code or what he signed while at INL. He probably had the code, but again the idea is hardly novel. He could have started over with a next generation product on his own. A look at the code would provide the answer, and the answer may be somewhere in the middle as it so often is.

HACKER!

The disturbing part of the ruling is that Battelle asked for and got a restraining order without first notifying Corey/Southfork Security, primarily because the Southfork web site said “We like hacking things and we don’t want to stop”. On the strength of that statement they requested and got an order to knock on his door and seize his computer. From the court decision:

The Court finds it significant that defendants are self-described hackers, who say, “We like hacking things and we don’t want to stop.” …

The Court has struggled over the issue of allowing the copying of the hard drive. This is a serious invasion of privacy and is certainly not a standard remedy, as the discussion of the case law above demonstrates. The tipping point for the Court comes from evidence that the defendants – in their own words – are hackers. By labeling themselves this way, they have essentially announced that they have the necessary computer skills and intent to simultaneously release the code publicly and conceal their role in that act. (underline added) And concealment likely involves the destruction of evidence on the hard drive of Thuen’s computer. For these reasons, the Court finds this is one of the very rare cases that justifies seizure and copying of the hard drive.

Another factor in issuing the restraining order without notice was:

Battelle must show that the defendants have “a history of disposing of evidence or violating court orders or that persons similar to the adverse party have such a history.” Id. (citing In the Matter of Vuitton et Fils S.A., 606 F.2d 1, 5 (2d Cir. 1979)).

Battelle asserts generally that defendants who have the technical ability to wipe out a hard drive will do precisely that when faced with allegations of wrongdoing.

It is hard to believe the court bought that as proving Corey/Southfork had “a history of disposing of evidence or violating court orders”. Again, Corey may have had Sophia on his computer and done everything wrong, but the evidence the court used to decide to take away some of Corey’s fourth amendment rights was flimsy. Basically he said he liked hacking things and had the skills to wipe a computer.

There was no evidence in the court order that he had ever done this before or had an intention to do this.

Battelle’s lawyers also played the national security card:

Most broadly, releasing Sophia open-source has national security implications. As Battelle puts it, “Defendants plan to give away the keys to Sophia . . . to the very attackers Sophia is meant to thwart.”

This is laughable, but if you are a lawyer your job is to advocate. The problem is Corey/Southfork and their lawyers were not given an opportunity to shoot this down, and the court mentioned “national security concerns” as part of the rationale for their decision.

Battelle / INL may be convinced that Corey is using the Sophia code, breaking agreements and doing other illegal things that affect their money-making opportunities. While I don’t agree with many of their points in the case, the real fault lies with the court buying the HACKER argument and making it the determining factor.

In the end, a review of the Visdom code will show whether it is Sophia or not.

Comments

At one point on the Southfork website, it was indeed Sophia listed and not Visdom. In fact, SouthFork even had YouTube videos which showed Sophia, claiming they were looking for investors for their endeavor. So no doubt they had the code. The court order was flimsy, but I’m sure they are using whatever they can to force action.
As you mentioned, the national security card is a joke. There are no less than 5 other commercial tools that can do what Sophia does better. They were out there before the Sophia project even started. Shows that DOE didn’t do their homework when they started the project.

Before the term “hacking” got screwed up by the lazy ignorant journalists that didn’t even bother to find out what it meant, it wasn’t a negative term. It still isn’t, though some of the ignorant use it incorrectly.
Hacking is a type of free form and intuitive programming that is often used to write, repair, or improve a computer code. (A hacker is the software version of the guy who rebuilds a ’57 Chevy into a street rod in his garage.)
Cracking is finding a way to circumvent computer security. (Most of the successful cracking is done with social engineering, aka, they trick someone.)
Vandalism is trashing someone else’s stuff. (On the computer or elsewhere, they are still scum.)

I wonder if those judges wanted to arrest Michael Jackson for being a ‘Smooth Criminal’.

Hacker – http://en.wikipedia.org/wiki/Hacker. The definition has been forced the wrong way by popular media and in this case I would say the purpose and intent of the site is using the Ethical sense of the word (as opposed to Cracker).

@Kevin – very good point. Even if hacker used to imply illegal or unethical activity it isn’t the case anymore. The good people at Merriam-Webster have several def’s of “hacker” including: “an expert at programming and solving problems with a computer”. It’s ridiculous a court would be so narrow-minded and one-sided.

This irrational ruling is not a terrible surprise. How can a judge with no technical background make informed decisions on the merits of a case that requires deep technical understanding? Many judges are not even able to rotate a PDF page 90 degrees without assistance from their IT staff.

It appears to me that the Battelle Energy Alliance legal team made many of these allegations in bad faith in an attempt to disrupt someone they see as competition rather than honestly and fairly address a concern about IP theft.

Furthermore, US tax dollars paid for the development of Sophia; it should be open sourced no matter what.

Any decent lawyer would now go after the warrant and get it quashed. Just because the search was executed doesn’t mean that evidence gathered by a warrant that never should have been issued should be admissible in court. Furthermore this sort of malarkey should be grounds to get the case thrown out altogether as clearly the court is incompetent to adjudicate these facts.

So.. I’m confused. Does this then mean people who label themselves in other colorful ways, like “shoot to kill”, “assassin”, “anarchist”, etc. are then guilty through self-labelling and thus subject to arrest, search, seizure without due process!?

By extension, does that mean that police should employ lethal force against anyone who claims they are skilled fighters, gun experts, “experts at setting traps”, etc?

There is some seriously messed up logic to the decision that the court made, to allow for seizure and now copying of data from a hard drive/computer that is personal property.

I feel bad for the actors and lawyers if they are ever to be accused of something, as none of their testimony would be admissible, since by the reasoning above, the two categories are skilled and expert withholders of information or can misrepresent information in a highly convincing manner.

I get that “hacker” has a negative connotation. For the same reason “lawyer” and “politician” do, because they are often associated with illegal or immoral acts in popular media. Moreso, of course. But, I hope common sense sets in here, because this gives all appearances of a corrupt judge looking for an excuse to bend the rules. But then maybe I’m just biased b/c that’s what I see on TV. I hope the court identifies the same irony.

@AdamCrain and @John have the real argument there. Did a cursory search for the grant award, but couldn’t find it, but the terms for publishing to the public should be there.

How about this explanation: Some lawyers are white hats, some are black hats. The legal system is, in many ways, like a computer system. There are rules for interacting with it, and not all of them are enforced, so a lot of times you can sneak things through that you shouldn’t be allowed to. So, a lawyer will throw whatever he can into the system, and see what sticks.

Allowing the system to be exploited by classifying someone a ‘hacker’ when the term itself is used in a lot of different contexts shouldn’t be allowed. I wonder if the judge rejected the argument, or allowed it. But, I’ve got other stuff to do right now.

Saying a hacker has the intent to do those things is like saying a gun owner has the “intent” to go out and shoot someone. In neither scenario is the ability to do something any real indicator of intent. It’s simply a wrong conclusion on the part of the court, and as a result any evidence gathered from his hard drive should be fought as inadmissible.

“Everyone who owns a computer has the technical ability to wipe out their own hard-drive.

It’s called formatting.”

A self proclaimed hacker is saying he has not only the knowledge, but he has the knowledge to do a more destructive formatting. Data on a hard drive doesn’t simply disappear with a format. In order for it to disappear, you have to fill the hard drive up with crap… multiple times… Granted, this doesn’t happen automatically or instantly, but still.

The Fourth Amendment (or the Fifth Amendment, since we’re talking about property) does not apply in this case because it is an application for a TRO between two private parties. There is no “state action.” The headline is not only misleading, but erroneous, and detracts from the issue at hand.

Seems this judge failed to do his job and didn’t even bother to make sure he had his facts straight and his definitions straight. A simple reading of the IETF RFC1392 would have cleared this matter up, by giving him the proper definition of the word “hacker” and enlightened him about the difference between a “hacker” and a “cracker”.

I agree that the 4th Amendment is not in play here. The relevant law is the copyright statute and Fed.R.Civ.P. 65. A temporary restraining order (“TRO”) in a civil case between private parties where no government search or seizure is involved does not present 4th Amendment issues.

I’ll observe as a retired lawyer with lots of years spent in federal court cases that the judge’s order is staggeringly weak, with the reliance on the “hacker” admission by the defendants on their web site only one facet of a very weak argument by the Court. Most glaringly, the judge’s order prohibits the defendants from publishing their program, which raises an enormous “prior restraint” 1st Amendment issue that the Court does not address (and that the plaintiff’s lawyers apparently did not address as well).

For example, the Supreme Court held in New York Times Co. v. United States, 403 U.S. 713, 714 (1971) that the New York Times could not be prohibited from publishing portions of the infamous Pentagon Papers, notwithstanding claims based on national security grounds, saying, “Any system of prior restraints of expression comes to this Court bearing a heavy presumption against its constitutional validity. … The Government ‘thus carries a heavy burden of showing justification for the imposition of such a restraint.'” The Court in that case cited in support of that proposition, inter alia, to its prior decision in Organization for a Better Austin v. Keefe, 402 U.S. 415, 419 (1971), a case in which the Court overturned state court injunctions against pamphleteers who had distributed leaflets that were critical of a real estate broker’s business practices.

The Better Austin case is highly analogous to the situation in the subject Battelle case, with private parties on both sides of the courtroom bench. It’s near-blackletter law that prior restraints on publication are virtually always unlawful when a money damages remedy is available, the situation in the Battelle case.

The Court’s technically illiterate “hacker” argument is a giant stretch, particularly in an ex parte TRO context. There is also a big issue around the Court’s wording that requires the defendants to allow copying of a *single* hard drive, identified only as “Thuen’s computer hard drive,” without further information identifying the particular computer or drive. Compare ordered relief § 2(c) with §§ 2(b) and (f) (respectively produce a single hard drive for copying but to preserve all evidence on multiple computers’ hard drives). The Court was clearly aware that more than one drive may contain relevant evidence but ordered production of only a single drive for copying.

TROs and other forms of injunctions are supposed to leave no doubt as to what the party subject to the order is required to do, so there is a particularity issue here if defendant Thuen possesses more than a single hard drive.

A TRO can be appealed immediately. Were I representing the defendants, I would have been sorely tempted to respond with a motion before the Court of Appeals to stay the District Court’s order pending resolution of an appeal on grounds that both Rule 65 and the First Amendment were violated in the TRO’s issuance.

But the motion for preliminary injunction was set for hearing on October 17. Does anyone know what has happened since the TRO was issued on October 15?

Pretty sad state when an individual’s liberty can be so easily usurped because of harmless marketing claims on a web site. That judge is beyond stupid. He should be disbarred and kept away from the bench for the sake of anyone who depends on justice from that court. And Battelle should be censured for abusing their discretion in this. Seems their interest was more in hurting Southfork than protecting IP.

The truth is that the media has ruined the term hacker to the point that the mainstream connotation (illegal computer security breaker) is the only one recognized. This has been going on for 30 years, it’s not going to get fixed. (Like the Swastika was a symbol of peace before the Nazi Party adopted it, now it’s recognized primarily for its negative connotations.)

It’s time to find new names. It won’t be easy, or find anything past simple majority (groups who disagree with the zeitgeist will splinter or remain as they are in defiance), but there’s no saving the term anymore. It’s dead.

As for the National Security card that would imply that the DOE was no longer in development but already in production use of the application.

Any NDAs or other agreements signed by contractors / subcontractors with the government should allow for damages due to improper disclosure to the Open Source community.

Development work performed for the DOE should have occurred using government procured hardware and software. If not, that work should be protected under a government / contractor agreement. In any event the product was developed as a “work for hire” for the government by a contractor.

If the developer co-mingled personal data with government data, then I could see the claims for seizure of personal assets. There should be a case for illegal search / seizure by the plaintiff unless the prosecution was able to prove other criminal / malicious intent via forensics (logs, backups, network monitors) performed by the IG for the DOE on / through DOE systems. When the IG or other federal agents show up at your door, they generally have you dead to rights by a number of methods.

All that said, I don’t believe that the particular ruling based on the free speech claim of “We like hacking things and we don’t want to stop.” will pass a causality challenge in an appeals court. This is just a tactic to use until the rest of the evidence is ready. I do believe that the media is sensationalizing for attention. The plaintiff is likely in a lot more trouble once the “other” charges are added to the case once discovery, chain of custody and criminal procedures play out.

My last name is really “Hack” and it’s confused online all the time as “hacker”. Should I change my name? I grew up knowing hackers are not all bad people, it’s the redhat & crackers you have to watch out for. Where would we be if we didn’t have good hackers AKA blackhats..

About Us

Digital Bond was founded in 1998 and performed our first control system security assessment in the year 2000. Over the last sixteen years we have helped many asset owners and vendors improve the security and reliability of their ICS, and our S4 events are an opportunity for technical experts and thought leaders to connect and move the ICS community forward.